
Twilio webhook replay could trigger duplicate voice-call actions in OpenClaw

GHSA-vqx8-9xxw-f2m7
Summary

A security issue in OpenClaw's Twilio integration could allow an attacker to re-send (replay) a voice-call webhook event that Twilio had already delivered. Because the replayed event was not recognized as a duplicate, it could trigger duplicate or stale call-state actions, leaving a call in an incorrect state or causing unintended side effects. Update to OpenClaw version 2026.2.23 or later to fix the issue.

What to do
  • Update openclaw to version 2026.2.23 or later.
Affected software

| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| – | openclaw | <= 2026.2.22-2 | 2026.2.23 |
Original title
OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
Original description
## Impact
Twilio webhook replay events could bypass the voice-call manager's dedupe because the normalization step assigned a fresh random event ID on every parse instead of carrying the provider's event ID through. Two deliveries of the same webhook therefore never shared a dedupe key, so a replayed event was treated as new and could trigger duplicate or stale call-state transitions.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.2.22-2`
- Patched version (released): `>= 2026.2.23`

## Remediation
The fix preserves provider event IDs through normalization, adds bounded replay dedupe in webhook security validation, and enforces per-call turn-token checks on call-state transitions.

## Fix Commit(s)
- 1d28da55a5d0ff409e34999e0961157e9db0a2ab

## Release Process Note
`patched_versions` is pre-set to the released version (`2026.2.23`); this advisory reflects that released fix version.

OpenClaw thanks @jiseoung for reporting.
Severity: CVSS 4.0 6.9 (source: GHSA)
Vulnerability type
CWE-294 Authentication Bypass by Capture-replay
CWE-863 Incorrect Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026